{
	"id": "1a4dfdd4-9a7e-43cd-9eb3-01a870187ab8",
	"created_at": "2026-04-06T00:08:27.10153Z",
	"updated_at": "2026-04-10T03:20:57.71652Z",
	"deleted_at": null,
	"sha1_hash": "a9349acb8273da5b13aa0f06ce3708d3b0f01aa8",
	"title": "LockBit ransomware moves quietly on the network, strikes fast",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1838283,
	"plain_text": "LockBit ransomware moves quietly on the network, strikes fast\r\nBy Ionut Ilascu\r\nPublished: 2020-10-21 · Archived: 2026-04-05 19:43:11 UTC\r\nLockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim network.\r\nJoining the ransomware-as-a-service (RaaS) business in September 2019, LockBit is atypical in that it’s driven by automated processes for quick spreading across the victim network, identifying valuable systems and locking them up.\r\nLockBit attacks leave few traces for forensic analysis as the malware loads into the system memory, with logs and supporting files removed upon execution.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-quietly-on-the-network-strikes-fast/\r\nPage 1 of 6\r\nScripts and backdoors\r\nAfter investigating a series of eight incidents at smaller organizations, security researchers at Sophos were able to add more pieces to the puzzle that is LockBit.\r\nIn one case, they found that the attack began from a compromised Internet Information Server that launched a remote PowerShell script calling another script embedded in a remote Google Sheets document.\r\nThis script connects to a command and control server to retrieve and install a PowerShell module for adding a backdoor and establishing persistence.\r\nTo evade monitoring and go unnoticed in the logs, the attacker renamed copies of PowerShell and the binary for running Microsoft HTML Applications (mshta.exe); this prompted Sophos to call this a “PS Rename” attack.\r\nThe backdoor is responsible for installing attack modules and executes a VBScript that downloads and executes a second backdoor on system restart. An overview of the attack is available below:\r\n“The attack scripts also attempt to bypass Windows 10’s built-in anti-malware interface [AMSI], directly applying patches to it in memory,” says Sean Gallagher, Senior Threat Researcher at Sophos.\r\nArtifacts found on attacked systems suggest the use of scripts based on the PowerShell Empire post-exploitation framework. Their purpose was to collect details about the victim network, identify valuable systems, and check for available defense solutions.\r\nGallagher says that these scripts also used regular expressions to search the Windows Registry for “very specific types of business software” used for point-of-sale systems or accounting.\r\nBelow is a list of keywords of interest included in the search:\r\nThe malicious code would deploy LockBit ransomware only if the targets matched a fingerprint indicating an attractive target, the researcher notes in a report today.\r\nQuick strike\r\nAfter picking the valuable targets, LockBit ransomware would execute in memory within five minutes using a Windows Management Instrumentation (WMI) command.\r\n“All of the targets were hit within five minutes over WMI. The server-side file used to distribute the ransomware, along with most of the event logs on the targeted systems and the server itself, were wiped in the course of the ransomware deployment” - Sean Gallagher\r\nThe researcher says that WMI commands could pass from a server to a system because the attack modules modified firewall rules to allow it.\r\nIn these attacks, the initial compromise method remains unknown. In a report from May, McAfee Labs and cybersecurity firm Northwave detail how LockBit ransomware gained access to the victim network by brute-forcing an admin’s logins for an outdated VPN service.\r\nIn three hours, the malware encrypted about 25 servers and 225 computer systems.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-quietly-on-the-network-strikes-fast/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-quietly-on-the-network-strikes-fast/"
	],
	"report_names": [
		"lockbit-ransomware-moves-quietly-on-the-network-strikes-fast"
	],
	"threat_actors": [],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9349acb8273da5b13aa0f06ce3708d3b0f01aa8.pdf",
		"text": "https://archive.orkl.eu/a9349acb8273da5b13aa0f06ce3708d3b0f01aa8.txt",
		"img": "https://archive.orkl.eu/a9349acb8273da5b13aa0f06ce3708d3b0f01aa8.jpg"
	}
}